- name: Create orchestrator namespace
  hosts: osbs_masters_stg[0]:osbs_masters[0]
  roles:
  - role: osbs-namespace
    osbs_orchestrator: true
    osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}"
    osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}"
    osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
    osbs_sources_command: "{{ osbs_conf_sources_command }}"
    osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}"
    osbs_service_accounts: "{{ osbs_conf_service_accounts }}"
    koji_use_kerberos: true
    koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
    koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
  tags:
    - osbs-orchestrator-namespace

- name: setup reactor config secret in orchestrator namespace
  hosts: osbs_masters_stg[0]:osbs_masters[0]
  roles:
  - role: osbs-secret
    osbs_secret_name: reactor-config-secret
    osbs_secret_files:
    - source: "/tmp/{{ osbs_namespace }}-{{ env }}-reactor-config-secret.yml"
      dest: config.yaml
  tags:
    - osbs-orchestrator-namespace

- name: setup client config secret in orchestrator namespace
  hosts: osbs_masters_stg[0]:osbs_masters[0]
  roles:
  - role: osbs-secret
    osbs_secret_name: client-config-secret
    osbs_secret_files:
    - source: "/tmp/{{ osbs_namespace }}-{{ env }}-client-config-secret.conf"
      dest: osbs.conf
  tags:
    - osbs-orchestrator-namespace

- name: setup ODCS secret in orchestrator namespace
  hosts: osbs_masters_stg[0]:osbs_masters[0]
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  roles:
  - role: osbs-secret
    osbs_secret_name: odcs-oidc-secret
    osbs_secret_files:
    - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
      dest: token
  tags:
    - osbs-orchestrator-namespace

- name: Save orchestrator token x86_64
  hosts: osbs_masters_stg[0]:osbs_masters[0]
  tasks:
    - name: get orchestrator service account token
      command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
      register: orchestator_token_x86_64
    - name: save the token locally
      local_action: >
        copy
        content="{{ orchestator_token_x86_64.stdout }}"
        dest=/tmp/.orchestator-token-x86_64
        mode=0400
  tags:
    - osbs-orchestrator-namespace

- name: setup orchestrator token for x86_64-osbs
  hosts: osbs_masters_stg[0]:osbs_masters[0]
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  roles:
  - role: osbs-secret
    osbs_secret_name: x86-64-orchestrator
    osbs_secret_files:
    - source: "/tmp/.orchestator-token-x86_64"
      dest: token

  post_tasks:
  - name: Delete the temporary secret file
    local_action: >
      file
      state=absent
      path="/tmp/.orchestator-token-x86_64"
  tags:
    - osbs-orchestrator-namespace

- name: Save orchestrator token aarch64
  hosts: osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
  tasks:
    - name: get orchestrator service account token
      command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
      register: orchestator_token_aarch64
    - name: save the token locally
      local_action: >
        copy
        content="{{ orchestator_token_aarch64.stdout }}"
        dest=/tmp/.orchestator-token-aarch64
        mode=0400
  tags:
    - osbs-orchestrator-namespace

- name: setup orchestrator token for aarch64-osbs
  hosts: osbs_masters_stg[0]:osbs_masters[0]
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  roles:
  - role: osbs-secret
    osbs_secret_can_fail: true
    osbs_secret_name: aarch64-orchestrator
    osbs_secret_files:
    - source: "/tmp/.orchestator-token-aarch64"
      dest: token

  post_tasks:
  - name: Delete the temporary secret file
    local_action: >
      file
      state=absent
      path="/tmp/.orchestator-token-aarch64"

  tags:
    - osbs-orchestrator-namespace

- name: Add dockercfg secret to allow registry push orchestrator
  hosts: osbs_masters_stg[0]:osbs_masters[0]
  tags:
    - osbs-dockercfg-secret
  user: root

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  pre_tasks:
    - name: Create the username:password string needed by the template
      set_fact:
        auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
        auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"

    - name: Create the dockercfg secret file
      local_action: >
        template
        src="{{ files }}/osbs/dockercfg-{{env}}-secret.j2"
        dest="/tmp/.dockercfg{{ env }}"
        mode=0400

  roles:
  - role: osbs-secret
    osbs_secret_name: "v2-registry-dockercfg"
    osbs_secret_type: kubernetes.io/dockercfg
    osbs_secret_files:
    - source: "/tmp/.dockercfg{{ env }}"
      dest: .dockercfg

  post_tasks:
    - name: Delete the temporary secret file
      local_action: >
        file
        state=absent
        path="/tmp/.dockercfg{{ env }}"
